The LiteLLM Supply-Chain Attack That Exposed Mercor
A LiteLLM supply-chain attack exposed Mercor to class-action lawsuits and a possible 4TB data leak — biometric footage and PII for 40,000 workers.
SAN FRANCISCO — A late-March supply-chain attack that inserted malicious builds into the widely used LiteLLM package has left Mercor — a $10 billion AI staffing and data-labeling platform — defending multiple class-action suits and navigating a business freeze that reverberated across major AI labs this April. Investigations and court filings now provide a clearer, consolidated timeline tying the incident to a narrow window of attacker activity and a broader failure across the open-source and compliance ecosystem.
Attack Mechanics
The attack began when the threat group tracked as TeamPCP exploited a GitHub Actions workflow vulnerability in Trivy, the open-source container scanner used by many CI/CD pipelines. That compromise allowed the attackers to harvest publishing credentials from LiteLLM's CI runner and push two malicious PyPI releases — LiteLLM 1.82.7 and 1.82.8 — on March 24.
The malicious packages were available on PyPI for only minutes to a few hours. Mercor's automated dependency pipeline pulled the compromised builds during that brief window, installing a payload that extracted SSH keys, cloud credentials, and Kubernetes secrets. The attack followed a classic supply-chain escalation: a vulnerability in one widely trusted tool provided the foothold to compromise another, whose brief exposure was enough to reach high-value downstream systems.
Exposure Scope
Within days of the initial compromise, the extortion group Lapsus$ claimed to have obtained approximately 4 terabytes of Mercor data. Court filings and reporting indicate the stolen cache included Social Security numbers, bank details, and government IDs for roughly 40,000 contractors; thousands of high-definition video interviews and facial biometric verification footage; approximately 939 GB of internal source code; and surveillance screenshots, labeling protocols, and interview-scoring rules from active AI training pipelines.
Plaintiffs are pursuing claims ranging from negligence and invasion of privacy to violations of state AI-video laws.
Business Fallout
Business fallout was swift. Major customers including Meta paused work with Mercor in early April while legal and forensic teams probed the scope of exposure. Other AI labs reportedly reviewed or halted pipelines that ingested Mercor-sourced training material.
The pause's rationale extended beyond exposed contractor IDs. Investigators and corporate sources warned that the breach may have leaked labeling protocols, interview-scoring rules, and other proprietary training processes embedded in Mercor's data flows — meaning the exposure could affect the AI labs themselves, not just the contractors whose personal data was stolen.
The Compliance Gap
The incident also exposed gaps in the startup compliance market. Mercor had relied on security attestations from Delve Technologies. Whistleblower allegations and reporting claim those audits were largely automated and superficial, prompting questions about the reliability of compliance badges for suppliers that feed frontier AI models.
Delve has faced separate scrutiny and personnel changes in the weeks since the breach — raising broader questions about whether the compliance-attestation ecosystem is adequate for the level of trust placed in AI training vendors.
Technical Forensics
Security experts describe the incident as a classic supply-chain escalation: unpinned or permissive CI dependencies in Trivy actions enabled token theft from LiteLLM's CI runner, which led to short-lived malicious PyPI releases, which were then pulled automatically by downstream consumers including Mercor.
Experts note that the brevity of the exposure window — minutes to a few hours — made detection difficult but did not limit the attack's impact. Many organizations default to pulling the "latest" version of dependencies in CI and production pipelines, meaning a brief malicious window is sufficient to compromise downstream systems at scale.
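As an added illustration of the pinning point (this is not code from the article, from LiteLLM, or from Mercor), a small Python audit over a constructed requirements.txt that flags floating ranges, exact pins without a `--hash`, and the two LiteLLM versions named above. The sample manifest is invented for the example; the function names are my own.

```python
import re
from dataclasses import dataclass

# LiteLLM releases identified as malicious in the incident reporting above.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}
# name, optional [extras], optional operator, version (stops at ';' markers or '#').
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*"
                    r"(==|~=|>=|<=|!=|>|<)?\s*([^\s;#]*)")
@dataclass
class Finding:
    line: int       # logical line (backslash continuations already joined)
    name: str
    problem: str

def audit_requirements(text: str) -> list[Finding]:
    """Return one Finding per way a line could admit an unreviewed release."""
    findings: list[Finding] = []
    # Join '\'-continued lines so '--hash=' options sit on the same logical line.
    for n, raw in enumerate(text.replace("\\\n", " ").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("-"):         # blanks and -r/-i/-e options
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        # PEP 503 normalization so LiteLLM, litellm and lite_llm compare equal.
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        op, ver = m.group(3), m.group(4)
        if op != "==":
            findings.append(Finding(n, name, "not pinned to an exact version"))
            continue
        if ver in COMPROMISED.get(name, set()):
            findings.append(Finding(n, name, f"pinned to compromised release {ver}"))
        if "--hash=" not in line:
            findings.append(Finding(n, name, "exact pin without --hash"))
    return findings

# Constructed sample manifest (not Mercor's or LiteLLM's real files).
SAMPLE_REQUIREMENTS = """\
litellm[proxy]==1.82.7          # compromised release named in the article
requests>=2.31                  # floating range: resolves to whatever is newest
fastapi==0.110.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pydantic==2.6.4 ; python_version >= "3.9"
-r other-requirements.txt
"""
if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line}: {f.name}: {f.problem}")
```

Run against a real manifest, a clean result means every dependency is an exact, hash-pinned version, so a release that existed on PyPI for a few hours cannot be installed without a reviewed manifest change.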
Legal and Operational Impact
On the legal front, at least five federal suits filed in April seek class status, with additional filings likely as plaintiffs consolidate discovery. Remedies sought include statutory damages, injunctive relief, and enhanced data-protection obligations for vendors.
For contracting and operations, customers have demanded audits and temporary pauses. Contractors on Mercor's platform have been advised to freeze credit, change exposed credentials, and follow breach-mitigation guidance from Mercor and outside counsel.
Across the industry, companies are reassessing dependency-pinning, CI hardening, and third-party audit standards. Some have moved to stricter supply-chain controls and independent audits for critical open-source components used in AI training pipelines.
Mercor's Position
Mercor has acknowledged being "impacted" by the LiteLLM compromise and says it is working with third-party forensics firms. The company disputes speculative claims in lawsuits and has not confirmed the full scope of exfiltration. LiteLLM's maintainers and other affected open-source projects have issued mitigations, rotated compromised tokens, and revised CI policies to reduce similar risks going forward.
Systemic Risk
Security analysts warn this episode is a template for future attacks: adversaries will increasingly weaponize brief supply-chain windows to reach high-value downstream targets. The commercial ecosystem's reliance on automated compliance seals and large third-party open-source components creates systemic fragility for the AI training supply chain.
Policymakers and corporate buyers now face pressure to require stronger provenance, attestations, and independent audits for suppliers that process sensitive human data used to train foundation models. Whether the lawsuits, audits, and technical fixes produce durable change — or merely temporary hardening — will be a key watchpoint for the AI industry through mid-2026.
Mitigation Steps
Security experts recommend immediate steps for contractors who suspect exposure. First, freeze credit reports at all three major bureaus — Equifax, Experian, and TransUnion. Second, rotate cloud and service credentials, including any API keys, SSH keys, or tokens that may have been visible to active screen-monitoring tools. Third, review banking and tax forms for signs of identity misuse.
Contractors should also follow any official notices from Mercor or counsel. Plaintiffs' counsel are organizing intake for potential class members; those seeking remediation options should consult counsel listed in the public court filings.

Pietro R.
MSc Human-Computer Interaction | Founder & Product Owner
Pietro is the founder and technical lead of aitrainer.work. He builds and maintains the platform's data pipeline, certification infrastructure, and editorial standards.